Banks home in on security breach



An investigation by financial institutions into a recent security breach of private ATM card data points to one UAE-based bank as the origin of the problem, according to people familiar with the investigation. Sensitive information including personal identification numbers (PINs) and data from the black magnetic strip on the back of cards was stolen from the bank and then used to make large numbers of fraudulent transactions, mainly from other countries.

"We're quite close to having completed the case for the prosecution," said one banker, who spoke only on the condition neither he nor his bank be identified. "And we have a fairly clear idea of how this has occurred." Bankers believe that thieves breached a network that banks use to share ATM data. That exposed most, if not all, banks in the UAE to the fraud. A senior banker said the sheer complexity of the fraud and the amount of detailed knowledge lifted had all but ruled out computer hackers as culprits, along with conventional methods of fraud such as skimming, a practice that involves illegally attaching a card reader to an ATM to collect card information.

"If by hacker you mean someone who is externally breaking into a system electronically, I doubt very much that that's the case," he said, asking not to be named for security reasons. "This is more likely to be either an inside job or someone has gained access to a server or a bit of hardware for a period of time, which could be a service engineer or someone like this who has direct access," he added.

As the scale of the fraud has unfolded, some bankers have complained of a lack of guidance from the UAE central bank, whose duties include banking oversight. The sophistication of the fraudsters was unlike anything the country and the central bank had dealt with before, the senior banker said. There have been a number of breaches of ATM networks in the UAE in the past, but none has affected so many cardholders. "This is quite complex and quite sophisticated," the official said. "So one might imagine that the central bank is struggling to understand it."

In an email message to The National, the office of the governor of the central bank wrote that the current spate of fraudulent activity was outside its purview. "The said subject is related to banks' security systems, not the central bank," it said. Several banks said they were nearing the conclusion of their internal inquiries, the results of which would be shared with others in the industry. Any bank found responsible for the breach could be held liable for the losses, which have not yet been quantified.

A senior executive at another bank said his company had already engaged in talks with one bank thought to have been the origin of the breach. "There are discussions about compensation," he said. The police have yet to become involved in the investigation. Banks began sending mass text messages to hundreds of thousands of customers last week asking them to change their PIN codes, after fraudsters based in foreign countries made unlawful transactions from UAE accounts. Confusing messages and conflicting instructions by banks caused long customer queues at ATMs and generated considerable public uncertainty.

Some banks have restricted all or partial international usage of their cards, for example, while others have lowered their withdrawal limits without notifying customers. Banking sources said one bank told other financial institutions last week that it had begun an internal investigation after being notified of the breach by card networks and banks. An executive at a major bank questioned the wisdom of sending text messages, saying it caused undue panic since the losses that banks had incurred were relatively small.

hnaylor@thenational.ae
mjalili@thenational.ae